CCIE Lab Center (CLC) - CCIE Enterprise Infrastructure v1.0: Real Lab v1.0 - Design
CLC Forum: https://cciestudygroup.org
Website: https://ccielabcenter.com
CCIE EI - Real Lab 1.0, Module 1 - Design
Web: https://ccielabcenter.com | Mail: care@ccielabcenter.com | Telegram: t.me/cciestudygroup
Released: 19-May-2021

Workbook Description
Author: CCIE Lab Center (CLC)
Focus: Real
Level: Expert (CCIE)
Stream: CCIE Enterprise Infrastructure
Lab Version: Lab 1.0_Module 1_Design_Final_Demo
Document Revision: 1.0.3
Document Revision Date: 19-May-2021
Content: Topology, Question, Resources
Format: PDF
Protection: DRM
Website: https://ccielabcenter.com

CCIE Enterprise Infrastructure Lab 1: Module 1: Design
Total 39 Questions

QUESTION 1
Welcome to the FABD2 company! Please read all the available resources before starting the scenario by clicking ‘Next item’.

QUESTION 2
Refer to the new resource(s) available.
Which action must be taken in addition to enabling Rapid PVST+ on all switches in the HQ to guarantee that the user experience is improved?
a) Disable EtherChannel Misconfiguration Guard
b) Protect ports toward end hosts with BPDU Guard
c) Configure ports toward end hosts as edge ports
d) Protect ports toward end hosts with BPDU Filter

Solution
Answer: c

Resources
RSTP Deployment
From: Network Manager; To: CCIE Candidate; Subject: RSTP Deployment

Hi,
We’re very excited that you are with us on this journey we’re about to embark on. I know we haven’t even got to the official meet and greet yet, but I figured I might just take advantage of your expertise already. Our junior engineer has been busy rolling out new switches around the HQ lately. However, it seems that STP settings have been left at their defaults on all switches. This has resulted in poor performance related to wherever a device was plugged in or removed from the network. Management is convinced that simply by enabling Rapid PVST+ everywhere the performance of the network will dramatically improve, but I’m wondering if there are any additional settings that absolutely must be implemented so that, after enabling RPVST+, the user experience is truly improved.
Best regards,
Network Manager

QUESTION 3
Refer to the new resource(s) available.
Based on the description of the issue, what is the most likely reason?
a) Rapid PVST+ requires the use of LACP fast rate to support rapid convergence on EtherChannels.
b) Trunk ports are not considered as edge ports unless explicitly configured to.
c) The MAC aging time needs to be set to a value shorter than max_age+forward_delay.
d) PortFast is not enabled globally on the switches.
Solution
Answer: b

Resources
RE: RSTP Deployment
From: Network Manager; To: CCIE Candidate; Subject: RE: RSTP Deployment

Hi,
Thanks for the response. We’ve revisited our choices, had Rapid PVST+ enabled on HQ switches, configured ports toward end hosts with PortFast, enabled BPDU Guard on the same ports and even shortened the forward_delay timer to 10 seconds. Then our junior decided to test the improvement and so he configured a trunk port on sw110, connected a Linux-based host there, configured it with subinterfaces for each VLAN and had a set of continuous pings running from the Linux host toward both sw101 and sw102 in each VLAN while flapping the uplinks from sw110 to both distri switches. He still saw outages of around 20 seconds. What’s going on there? We are considering rolling back the changes unless we can explain and fix this quickly.
Best regards,
Network Manager

QUESTION 4
Refer to the new resource(s) available.
Based on the diagram, what design change can be made to address the flapping EIGRP neighbor between r24 and r70 without impacting the network connectivity to any other DMVPN location?
a) On r70, enable EIGRP stub
b) On r21 and r70, put the WAN interfaces toward the SP into a front door VRF
c) On r70, only enable EIGRP on the r70 LAN interfaces and the DMVPN tunnel
d) On r70, do not advertise the 10.200.0.0/24 subnet in BGP
e) On r70, put the WAN interfaces toward the SP into a front door VRF

Solution
Answer:

Resources
DMVPN between DC and Branch #4

Diagram (recovered labels): Datacenter, BGP AS 65002, 10.2.0.0/16, OSPF. r21 performs OSPF <-> eBGP redistribution and peers eBGP with Global SP #1 (MPLS L3VPN, BGP AS 10000). r24 terminates the DMVPN tunnel (Tun0). Branch #4, BGP AS 65007, 10.7.0.0/16: r70 terminates the DMVPN tunnel (Tun0) and peers eBGP with the SP.

r24 configuration:

    interface Loopback0
     ip address 10.2.255.24 255.255.255.255
     ip ospf 1 area 0
    interface GigabitEthernet2
     description To sw211
     ip address 10.2.114.1 255.255.255.252
     ip ospf 1 area 0
     ! Other config omitted
    interface GigabitEthernet3
     description To sw212
     ip address 10.2.114.1 255.255.255.252
     ip ospf 1 area 0
     ! Other config omitted
    interface Tunnel10
     ip address 10.200.0.1 255.255.255.252
     ip nhrp network-id 1010
     ip nhrp map multicast dynamic
     tunnel source Loopback0
     tunnel mode gre multipoint
    router eigrp ccie
     address-family ipv4 autonomous-system 65006
      network 10.200.0.1 0.0.0.0

r70 configuration:

    interface Loopback0
     ip address 10.7.255.70 255.255.255.255
    interface Tunnel0
     ip address 10.200.0.70 255.255.255.0
     ip nhrp map 10.200.0.1 10.2.255.24
     ip nhrp map multicast 10.2.255.24
     ip nhrp network-id 1010
     ip nhrp nhs 10.200.0.1
     tunnel source Loopback0
     tunnel mode gre multipoint
    router eigrp ccie
     address-family ipv4 autonomous-system 65006
      network 10.200.0.70 0.0.0.0
      network 10.7.0.0 0.0.255.255
    router bgp 65007
     neighbor 100.6.70.1 remote-as 10000
     neighbor 10.200.0.1 remote-as 65002
     neighbor 10.200.0.1 local-as 65002
     network 10.7.255.70 mask 255.255.255.255
     network 10.200.0.0 mask 255.255.255.0

EIGRP Adjacency Issues - Conversation

Anna
Network Manager, sorry to interrupt you while you’re on those improvements at HQ but I need your help with a trouble ticket that just came in from Branch #4. They say EIGRP adjacency between r70 and r24 over the DMVPN tunnel keeps going up and down. Syslog on r70 is just filled with all kinds of logs so not sure what to focus on first. One of the things I noticed is just an ongoing churn of %DUAL-5-NBRCHANGE EIGRP IPv4 65006 logs saying the EIGRP neighbor with r24 is up and then seconds later it is back down again.

Network Manager
Do you know if anything changed at that branch or in those configs? Isn’t that branch the location where they were looking at maybe doing BGP over the DMVPN tunnel instead of EIGRP? Are any other branches having issues with EIGRP neighboring to r24 over DMVPN?

No other branches are having issues at all. I just went into r24 and this is the only EIGRP neighbor that is flapping. And yes, you are right. Branch #4 is the branch where they were going to try to do BGP instead of EIGRP over the DMVPN but remember, we haven’t enabled r24 to do BGP over the DMVPN session with r70 anyway - I just checked it.

Okay… let’s look at their configs and draw this all out. I am sure it is something in r70. I think I remember us hitting something like this in our original deployment of the DMVPN. And let’s involve our CCIE-in-making to help us with this too!

QUESTION 5
Refer to the new resource(s) available.
For each of the EtherChannel types, indicate whether the individual statements are true, if any (select all that apply).

    Statement                                                        | LACP EtherChannel | Static EtherChannel
    Provides the shortest link bundling time possible                |                   |
    Adds data plane overhead                                         |                   |
    Adds control plane overhead                                      |                   |
    Provides protection against miscabling                           |                   |
    Allows automatic fallback to individual link operation           |                   |
    Provides the widest vendor and implementation interoperability   |                   |
    Supports Layer 3 EtherChannels                                   |                   |
    Supports Layer 2 EtherChannels                                   |                   |
    Provides protection against misconfiguration                     |                   |
    Supports various load balancing modes                            |                   |

Solution
Marked table: only two "X" marks survived extraction and their positions cannot be recovered.

Resources
NIC teaming for servers in DC
From: Huge; To: CCIE Candidate; Subject: NIC teaming for servers in DC

Good afternoon,
My name is Huge, and I am the team lead for the server team. Network Manager referred me to you; we had some technical details on the connectivity options for our servers and Travis suggested picking your brain on this. Thanks in advance.
Long story short, our servers in DC are currently connected using single uplinks to the network. We would like to migrate our servers to use NIC teaming. We’re running mostly E50 and some Windows and Linux based servers and all support static and LACP-based teams – and that’s the thing, we don’t really understand what the pros and cons of each variant are. I’d appreciate if you could do a comparison of the static and LACP-based NIC teams for us. Based on this, we’ll decide on how to proceed.
Thanks!
Server Team

QUESTION 6
Refer to the new resource(s) available.
What is the appropriate way to ensure that VXLAN-encapsulated traffic is properly load-balanced across physical member links of an EtherChannel, and what is the rationale to do so?
a) Use L2+L3+L4-based hash, VXLAN VTEPs randomize the source UDP port
b) Use VXLAN deep packet inspection hash, load balancing is not possible otherwise
c) Use L2+L3-based hash, VXLAN VTEPs randomize the source IP address
d) Use L2-based hash, VXLAN VTEPs randomize the source MAC address

Solution
Answer:

Resources
RE: NIC teaming for servers in DC
From: Huge; To: CCIE Candidate; Subject: RE: NIC teaming for servers in DC

Good afternoon,
Thank you very much for the overview of the NIC teaming choices. I think that, based on your needs, we’ll go with LACP-based traffic. I have an additional question. We would like to achieve the maximum possible load balancing across the links in the traffic in both directions - both from and toward the servers. The majority of the traffic handled by our servers is carried in TCP and UDP, but we are also experimenting with some of the servers being VXLAN VTEPs and our concern is that because VXLAN is tunneled traffic, it will tend to get polarized to just one link in the traffic. Is there a way to load-balance the VXLAN traffic too?
Thanks a lot,
Server Team

QUESTION 7
Refer to the new resource(s) available.
For each of the suggested configuration changes, indicate the event whose convergence time the configuration would improve, if any (select all that apply).

    Configuration change intended to improve convergence time | Only a failure of a router or a link | Only a revival of a router or a link | Both failure and revival of a router or a link
    Decrease Dead interval                                    |                                      |                                      |
    Decrease Hello timer                                      |                                      |                                      |
    Increase Dead interval                                    |                                      |                                      |
    Increase initial SPF delay                                |                                      |                                      |
    Deploy BFD with the timer/multiplier of 100ms/3           |                                      |                                      |
    Increase Hello timer                                      |                                      |                                      |
    Use point-to-point network type where possible            |                                      |                                      |
    Decrease initial SPF delay                                |                                      |                                      |

Solution
Marked table: the marks did not survive extraction and cannot be recovered.

Resources
OSPF convergence issues in DC
From: Avia; To: CCIE Candidate; Subject: OSPF convergence issues in DC

Hey,
We briefly met before when we were troubleshooting the flapping EIGRP adjacency between DC and Branch #4 over DMVPN. Thanks for giving us a helping hand there.
Travis said you could help with an issue we have been looking at for some time, but due to nobody here really being into the technical details of OSPF, we haven’t gotten far up until now. The issue is on the convergence properties of OSPF which is currently running in our data center. Because everything seems to work, it is running with a very basic configuration and the OSPF performance feels sloppy. What we would like to see is a sub-second convergence whenever there is a change to the network topology. Given the vast amount of settings to OSPF, we need some pointers as to which ones are relevant for us to tweak and tune.
Looking forward to your response.
Regards,
FABD2 RP/WAN teams

QUESTION 8
Refer to the new resource(s) available. This item consists of multiple questions; you may need to scroll down to be able to see all questions.

8.1 Which two solutions for decreasing the utilization of routing tables in HQ and DC locations are applicable in FABD2’s current OSPF design? (Choose two.)
a) Implementing multiple areas
b) Distribute lists
c) Summarization
d) Filter lists
e) Prefix suppression

Solution
Answer:

8.2 For every solution intended to control the utilization of the routing tables in FABD2 HQ and DC, select the correct characteristics, if any (select all characteristics that apply).
    Solution                     | Controls the distribution scope of Type-1/Type-2 LSAs | In most cases, config-and-forget | In most cases, requires ongoing operational maintenance
    Distribute lists             |                                                       |                                  |
    Implementing multiple areas  |                                                       |                                  |
    Summarization                |                                                       |                                  |
    Prefix suppression           |                                                       |                                  |
    Filter lists                 |                                                       |                                  |

Solution
Marked table: the marks did not survive extraction and cannot be recovered.

8.3 What are the two disadvantages of using distribute lists to control the routing table contents in FABD2 HQ and DC? (Choose two.)
a) Incorrect deployment of distribute lists may cause permanent routing loops
b) OSPF link state database contents may become inconsistent
c) SPF algorithm will need more time to complete due to examining LSA contents against the distribute list
d) Distribute lists in OSPF have no influence on the contents of the CEF FIB on the router
e) Administrative overhead will grow since distribute lists must be deployed on all OSPF routers

Solution
Answer:

Resources
RE: OSPF convergence issues in DC
From: Avia; To: CCIE Candidate; Subject: RE: OSPF convergence issues in DC

Hey,
We liked those ideas about OSPF you brought in! Now that we’re on the topic, there’s another thing bugging me.
You see, we have our HQ and DC redundantly connected through sw101/sw201 and sw102/sw202 links and since everything is put into OSPF area 0, the routing tables in HQ and DC are quite a mess - swamped with routes. Thus far we have been using inbound distribute lists to control the size of the routing tables. In your opinion, could that still be relevant? What other options do we have? Sure, we can re-engineer our network and start splitting it into areas but that’s too intrusive; it’s something we’d like to avoid if possible. One thing: the topology of our infrastructure in HQ and DC is very unlikely to change, but end host networks (stub networks) can come and go quite frequently, including being subnetted or lumped back together.
Thanks!
FABD2 RP/WAN teams

QUESTION 9
Refer to the new resource(s) available. This item consists of multiple questions; you may need to scroll down to be able to see all questions.

9.1 Based on the current FABD2 design, which switch or switches must perform DHCP Snooping to avoid DHCP-related incidents in the HQ?
a) sw110 and sw211
b) sw110
c) sw101, sw102, sw110 and sw211
d) sw101, sw102 and sw110

Solution
Answer:

9.2 If DHCP Snooping was activated on sw110, what interfaces would need to operate as trusted interfaces?
a) Port channels toward sw101 and sw102
b) SVI for management VLAN on sw110
c) SVIs for VLANs where DHCP Snooping is activated
d) Ports toward end hosts

Solution
Answer: a

9.3 Which of the following two approaches can be used to avoid breaking DHCP functionality when the DHCP server runs on a different device than the DHCP snooping device? (Choose two.)
a) On IOS based DHCP servers and relay agents, accept DHCP messages containing Option 82 having all-zero giaddr
b) On switches performing DHCP Snooping, disable Option 82 insertion
c) On DHCP servers, allocate IP addresses to clients based on Option 82 remote-id and circuit-id values instead of client MAC addresses
d) On DHCP clients, preconfigure customized Option 82 contents
e) On IOS-based DHCP relay agents, change the relay policy to replace Option 82

Solution
Answer:

Resources
Improving DHCP security in HQ
From: Network Manager; To: CCIE Candidate; Subject: Improving DHCP security in HQ

Hello,
In HQ, we recently had an issue when an employee came in, plugged in his laptop and he forgot he had a Linux server VM running in his VirtualBox with a DHCP server enabled. You can imagine the mess we’ve faced and it took us ages to even find out where the offending DHCP server was! We understand that the DHCP Snooping feature should be a reasonable protection against it; however, when searching for more details, we ended up with conflicting recommendations. So can you clarify a couple of questions for us? Just as a reminder, all current and future end hosts in HQ will be connected only to sw110. Our sw101 and sw102 are DHCP Relay Agents toward the DHCP server located on sw211.
Thanks!
Oh, and I appreciate you helping out Avia and Huge.
Network Manager

QUESTION 10
Refer to the new resource(s) available.
What are two parallel reasons for the direct spoke-to-spoke DMVPN tunnel coming up between r62 and r70? (Choose two.)
a) Shortcut switching is enabled on the DMVPN tunnel of r62 and r70
b) The EIGRP next-hop self feature is disabled on r24
c) NHRP Redirects are enabled on the DMVPN tunnel of r24
d) r62’s NHRP and r70’s NHRP registrations can be seen by each other as they are multicasted over the same DMVPN tunnel
e) Shortcut switching is enabled on the DMVPN tunnel of r24
f) NHRP Redirects are enabled on the DMVPN tunnel of r62 and r70

Solution
Answer:

Resources
Unexpected tunnel between r62 and r70 - Conversation

Avia
Travis, sorry to bother you again with this but something weird is going on. Actually, I think it has been going on for a while now, but we only noticed it while we were troubleshooting that EIGRP neighbor issue between r24 and r70. What we saw was that in r70 there was a DMVPN tunnel up with the Branch #3 r62 router. r70 even learned a network connected to r62 even though this should not be possible since our hub summarizes everything to the default route when speaking to spokes. Our NOC book for troubleshooting DMVPN tunnels at the branches does not list this as something we should see. So clearly this didn’t use to be the case in the past when we made that book.

Travis
What I suspect is this. Do you remember last year when we hired that consultant to recommend changes to the DMVPN networks?
I think it is possible that during the design review we must have missed something.

Wow, that’s been a while ago. I don’t think we still have the document of his exact designs and config recommendations. I know we just cleared all of them in the design review and put them in the network. Hmm…. Have you asked our CCIE apprentice about his opinion yet?

QUESTION 11
Refer to the new resource(s) available.
Based on the requirements for the security hardening in Branch #3, what is a viable solution?
a) Protected ports
b) VLAN ACLs
c) Private VLANs with two independent community secondary VLANs
d) Private VLANs with an isolated secondary VLAN
e) Port ACLs
f) Private VLANs with an isolated and a community secondary VLAN

Solution
Answer:

Resources
Tightening down security in branch #3
From: ‘Travis Handerson’ <.com>; To: ‘CCIE candidate’ <.com>; Subject: Tightening down security in branch #3

Hello,
Thank you very much for clarifying that tunnel between Branches #3 and #4. I really got tense about that DMVPN – seems like it keeps coming in with mysteries. Anyway, speaking about Branch #3, I realized I wanted to ask you something.
At Branch #3 we have been considering improving the security of the end hosts. We have several publicly operated terminals connecting there that would best be kept separated from each other and also from anyone else. There is also a series of less-than-perfectly trusted end hosts that need to talk to each other, but again it would be better if they, as a group, didn’t have access to anyone else on the branch. I don’t want to spend my IP addressing space on these devices excessively; ideally all the terminals and the end hosts I just mentioned should be kept in a single IP network. While we currently have only a single access layer switch on the site, we may be extending that in the future or – if the budget is too tight – reuse some of the free ports on the distribution layer switches for the purpose of connecting these hosts. We’d like to solve this with an approach that’s easy to maintain, works consistently across multiple switches and, if possible, does not require us to go too crazy with ACLs defining who can talk to whom. Can you suggest a solution?
Thanks – much appreciated.
Travis
Network Manager

QUESTION 12
Refer to the new resource(s) available.
Drag the QoS configuration action on the left to the correct device on the right, observing the correct order of the configuration.
Not all options are used.

Actions:
- Create parent QoS policy with 10Mbps shaper
- Create parent QoS policy handling traffic classes
- Create child QoS policy handling traffic classes
- Apply the child QoS policy as an NHRP-mapped policy on the tunnel
- Configure the NHRP QoS group name
- Apply the parent QoS policy as a service policy on the tunnel
- Associate the child QoS policy with the parent QoS policy
- Apply the parent QoS policy as an NHRP-mapped policy on the tunnel
- Create child QoS policy with 10Mbps

Targets:
- r24: 1st Action, 2nd Action, 3rd Action, 4th Action
- r70: 1st Action, 2nd Action, 3rd Action, 4th Action

Solution
r24 / r70: the drag-and-drop solution is an image and did not survive extraction.

Resources
Slowness in Branch #4
From: ‘Avona Vanyl’ <.com>; To: ‘CCIE candidate’ <.com>; Subject: Slowness in Branch #4

Hey,
Wondering if you could help us with something. We have found that whenever Branch #4 complained about having this issue, it 100% coincided with peak volumes of traffic coming in on the r70 interface towards the MPLS service provider. So clearly, we need to fix this, but we aren’t sure what to do or where to do it. We had choices, but we really don’t want to impact any of the other branches, so we thought we’d come to you. Really hope you can help us.
We aren’t sure what information you might need, so here is everything we could think of:
- QoS is not configured on any of the devices in the datacenter
- r21 has a 1Gbps connection with the SP, with a contracted rate of 1Gbps and 4 traffic classes
- r70 has a 1Gbps connection with the SP, with a contracted rate of 10Mbps and 4 traffic classes
If you could help us figure out how to address the issue that would be great.
Avona
FABD2 RP/WAN team

QUESTION 13
Refer to the new resource(s) available.
What change is required to the BGP configuration in the environment of Global SP #1 so that r4 learns about multiple paths to networks at Branch #3?
a) On r5 and r6, activate the route reflector function
b) On r5 and r6, unique RDs need to be configured
c) On r3 as the route reflector, BGP Multipath feature must be enabled
d) On each PE, unique RTs need to be configured
e) On r4 the BGP maximum paths setting needs to be increased

Solution
Answer:

Resources
FW: Regarding BGP routes at our SP
From: ‘Avona Vanyl’ <.com>; To: ‘CCIE candidate’ <.com>; Subject: FW: Regarding BGP routes at our SP

Hello,
I noticed something strange the other day in our SP’s network. I was in r4 and I looked at the routing table for the FABD2 VRF and saw the Branch #3 LAN prefix listed in the BGP table only once. I was surprised because I thought I would see it twice. But no, only listed once.
Travis took a quick look at the SP design and implementation specs and said he thought he knew what it likely was, but he was just leaving for vacation for a week, so he sent me to you. He said you’d be able to figure it out. He sent me some quick notes, that I have added at the bottom of the email.
Avona
FABD2 RP/WAN team

From: ‘Travis Handerson’ <.com>; To: ‘Avona Vanyl’ <.com>; Subject: Tightening down security in branch #3

Avona,
Sorry I can’t be of more assistance right now, just about to go offline for one week of hiking in the mountains. I had a quick look at the SP side of things and this is the overall design as it relates to us (short and concise – writing this on my cellular):
- All our locations are placed into VRF “fabd2” on relevant PEs (r3, r4, r5 and r6)
- RT 100000:1 for import and export
- RD 100000:1 on all PEs
- LDP deployed on Ps and PEs to distribute labels
- BGP used to advertise our prefixes and associated VPN tables
- r2 is the BGP route reflector; r4, r5 and r6 have BGP sessions only to r3 as its RR clients
I happened to have a network topology diagram on my phone. Here’s the relevant part.
(Topology diagram: image not present in the extracted text.)
I’m sure our CCIE prospect can assist you in figuring out what the problem is.
Travis

QUESTION 14
Refer to the new resource(s) available.
Which two addresses are the best choices for the ConnectedFABD2 and RapidStreaming multicast groups? (Choose two.)
a) 232.2.1.1
b) 232.1.1.1
c) 239.129.1.2
d) 239.2.1.1
e) 232.129.1.1
f) 239.1.1.2
g) 239.1.1.1

Solution
Answer:

Resources
Corporate multicast
From: ‘Travis Handerson’ <.com>; To: ‘CCIE candidate’ <.com>; Subject: Corporate multicast

Hi,
Just got out of the monthly management meeting and, as so often before, this gives us some work to do. Following the concerns of our branch-based employees about feeling disconnected from what is going on at the HQ, our HR conceived the idea of an internal ‘TV channel’ fed to all our remote branches, sourced from the HQ. They still haven’t decided exactly what kind of content will be in the feed, but they have decided on the name ConnectedFABD2.
Now, this won’t be the first multicast deployment in our network. We already have a multicast feed deployed in HQ named JustStreaming. These are some quick facts about it.
JustStreaming:
- Already existing in HQ
- High bandwidth
- Uses group 239.1.1.2
- Sources and receivers only in HQ
Regarding the ConnectedFABD2 feed properties, we assume the following.
ConnectedFABD2:
- New feed to be introduced
- Low bandwidth feed, at least initially
- Sources will be located in HQ
- Receivers spread across all DMVPN-based branches as well as in HQ
Finally… the JustStreaming feed was, at the time, deployed in a somewhat rushed and ‘just-make-it-work’ manner. We are looking at eventually replacing it with another feed we call RapidStreaming, which we would like to design properly this time. Assumed properties of RapidStreaming are:
RapidStreaming:
- New feed to be introduced
- High bandwidth feed
- Will eventually replace JustStreaming
- May need to co-exist with JustStreaming for a while
- Sources and receivers only in HQ
With all of this in mind, I’d like you to go over things and provide me with some assistance on how to approach this.
In addition to what I have already stated above, please also consider the following points.

- Assess and evaluate the IP multicast addressing space in use: do we continue to use it or should we find something else?
- Placement of rendezvous points (RPs) for ConnectedFABD2 as well as RapidStreaming. Since both feeds are of high importance, it is essential that we have a resilient RP setup. Whether it’s active/active or primary/backup is not important to me; I’ll listen to your suggestions.
- RP address advertisement across the network: should we use any dynamic RP advertisement mechanism, or should we go with static RP address configuration?

Thanks in advance

Travis
FABD2 Network Manager

QUESTION 15

Refer to the new resource(s) available. Considering the intended RP design for the High Bandwidth multicast range, drag and drop the appropriate Loop1 configuration on the left to each switch in the diagram. Any Loop1 configuration can be dropped to multiple switches. Not all options are used.

Solution

Resources

RE: Corporate multicast

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: Corporate multicast

Hi,

Thanks for your input. Based on that, and trying to factor in all other comments I received, I have made the following decisions for our multicast designs.
For High Bandwidth multicast feeds (currently JustStreaming and RapidStreaming):
- Allocated multicast group range 232.1.1.1 thru 239.1.255.255
- sw101 and sw102 will act as RPs in a high-availability RP design using the IP address 10.1.255.100 as the RP for the entire High Bandwidth multicast range
- sw110 is a layer 2 only switch and will only run IGMP Snooping and perhaps PIM Snooping if it is supported there (no big issue if it isn’t)
- On routers and multilayer switches, the RP address will be configured statically
- 239.1.1.101 will be used for RapidStreaming

For Low Bandwidth multicast feeds (currently ConnectedFABD2):
- Allocated multicast group range 239.201.1.1 thru 239.201.255.255
- Any legacy branch may have receivers that are eligible to join any Low Bandwidth multicast group
- 239.201.1.101 will be used for ConnectedFABD2

Please keep this in mind when designing the multicast solution for us.

Travis
FABD2 Network Manager

QUESTION 16

Refer to the new resource(s) available. Considering correct FABD2 design, which two devices are the best choices for placement of the RP for Low Bandwidth multicast streams? (Choose two.)

a) sw101
b) r11
c) sw102
d) r21

Solution
Answer:

Resources

RE: RE: Corporate multicast

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: RE: Corporate multicast

Hey,

OK, so I apparently opened a can of worms when I asked my teams about RP placement for our Low Bandwidth multicast ranges. Everybody agrees that we will be using redundant RPs with MSDP, but this is where the agreement stops.
Everyone seems to have strong opinions on where the RP role should be placed in the network. Below are the messages from the group chat that we had earlier today (I have redacted the names to ‘protect’ the professional reputation of my team members :)).

Team member #1: “Let’s just use sw101 and sw102 also as the RPs for the whole Low Bandwidth multicast address range.”

Team member #2: “I don’t know if that is wise since those are also the RPs for the High Bandwidth range.”

Team member #3: “Since the sources for all the low bandwidth traffic will be in HQ in VLANs handled by sw101 and sw102, RP placement there is really the best.”

Team member #4: “Well, since receivers in all DMVPN branches will be able to request a low bandwidth stream, why not put the RPs on the WAN edge, more specifically r11 and r21, as they are both directly connected to the MPLS cloud? Placing the RPs there is the correct design as they will be replicating the multicast traffic from the LAN out the MPLS WAN anyway.”

I’m not sure which direction to take from here. All sound like valid points to me. What do you recommend?

Travis
FABD2 Network Manager

QUESTION 17

Refer to the new resource(s) available. What prefixes, along with their label bindings, must be advertised by LDP in the MPLS mock lab to enable MPLS L3VPN services?
a) Loopback0 prefixes of all PE routers and prefixes of all infrastructure links
b) Loopback0 prefixes of all PE and P routers
c) Loopback0 prefixes of all PE routers
d) Loopback0 prefixes of all PE and P routers, and prefixes of all infrastructure links

Solution
Answer:

Resources

SP #1 Mock Lab

FABD2 building SP #1 mock lab

Attempting to be an equal partner in technical discussions with Global SP #1, FABD2 has decided to build a mock lab of the MPLS cloud run by Global SP #1. Configuration will be based on the Global SP #1 actual configurations of routers r5 through r5 while excluding router r4. To simulate the MPLS L3VPN locations, there will be three routers configured similarly to r21, r51 and r62.

Because of budget constraints, routers r1 and r2 in the mock lab will also be shared with the FABD2 IT Training department for a specific training scenario. The IT Training department already requested adding 200 additional loopback interfaces with unique IP addresses to routers r1 and r2 (100 loopbacks on each router) and advertising them in OSPF.

One of the reasons for building the MPLS mock lab is to gain a better understanding of how MPLS works, especially the label part.
For the purposes of simplicity and clarity, users of the MPLS mock lab prefer to avoid seeing any prefixes, labels or any other runtime data that are not necessary for simulating an MPLS L3VPN with attached CE routers.

Router roles:
- PE routers: r3, r5, r6
- P routers: r3, r2
- CE routers: r21, r61, r62

LDP Label Bindings

Avona: Travis, with those 200 prefixes from the IT Training Department, the label bindings on the routers in our MPLS lab are a mess. I’d like to filter out all unnecessary prefixes from LDP and keep only those needed for the MPLS L3VPN to work – so I’m double-checking with you to avoid screwing something up.

Travis: Now, since Loopback0 is being used as the MPLS LDP Router ID in all the Ps and PEs, that loopback surely must be advertised with a label.

I am not 100% sure about that... Either way, we need labels for the IP addresses we use for our BGP VPNv4 peering – and there, we use Loopback0 addresses, too. So the labels for those loopbacks need to be advertised. Anyway, I don’t think that we need any additional labels in LDP besides those.

Yeah… but you know…. The more I think about it, the more I’m convinced that we must also have labels for the infrastructure links between the Ps and the PEs – because the labels change hop by hop for the outer label. So I think the only prefixes we can filter out from LDP to avoid unnecessary labels are the 200 prefixes from the IT Training Department.

You may have a point here…. This is getting tricky. Let’s see what our CCIE candidate has to say.

QUESTION 18

Refer to the new resource(s) available.
What mechanism and type of deployment would be the most appropriate to accomplish the label filtering goals as requested?

a) OSPF Prefix Suppression enabled globally on PE and P routers
b) OSPF Prefix Suppression enabled on the IT Training Department’s 200 loopback interfaces
c) OSPF Prefix Suppression enabled on the links between PE and P routers
d) LDP advertisement filter applied to P routers
e) LDP advertisement filter applied to PE and P routers

Solution
Answer:

Resources

LDP filtering too strict

From: “Avona Vangyl”<.com>
To: “CCIE candidate”<.com>
Subject: LDP filtering too strict

Hey,

We’ve reviewed our discussion about the LDP filtering, and we’d like to loosen the rules up somewhat, because the strict filtering makes us quite prone to missing some important networks we might have overlooked. It’s important that whatever we do, we don’t break the IP connectivity. How about allowing all labels except the training department’s 200 loopbacks? Would that work? What would be the best way to implement that kind of filtering?

Avona
FABD2 RP/WAN team

QUESTION 19

Refer to the new resource(s) available. What is the proper approach to prevent the MPLS cloud from revealing its internal infrastructure to the attached endpoints?
a) Egress ACLs placed on PE-CE links
b) MPLS TTL Propagation disabled on PE routers
c) MPLS TTL Propagation disabled on routers
d) ICMP Unreachables disabled on the Null0 interface on PE and P routers

Solution
Answer:

Resources

Protecting MPLS lab internals

From: “Avona Vangyl”<.com>
To: “CCIE candidate”<.com>
Subject: Protecting MPLS lab internals

Hey,

I was testing the connectivity through our MPLS lab, and things work nicely. But one thing I don’t like is the fact that the MPLS lab reveals its internal addressing when doing traceroute, for example. Our real provider does not do that. How are they doing that? ACLs? I’d like to have their behavior replicated as closely as possible.

Travis
FABD2 Network Manager

QUESTION 20

Refer to the new resource(s) available. Given the description of the issue, which of the following statements would explain the symptoms described in the e-mail from Travis?

a) The hosts resolved their own hostnames to IPv6 addresses in DNS
b) IPv6 unicast routing was not enabled on sw101
c) The M-flag was not set in Router Advertisements
d) There was no IPv6 IGP running in VLAN 2001

Solution
Answer:

Resources

IPv6 implementation in HQ

From: “Avona Vangyl”<.com>
To: “CCIE candidate”<.com>
Subject: IPv6 implementation in HQ

Hey,

We’ve been considering deploying IPv6 in our HQ in a limited fashion, just one VLAN for the time being, to play with it.
To make things simple, we’ve configured sw101 as the DHCPv4 server for VLAN 2001, enabled IPv6 on the SVI, assigned the global prefix to the SVI, and at first it seemed like everything was working okay – but then we realized that there are no bindings created on the DHCPv6 server, and what’s more, when we removed the DHCPv6 configuration from sw101 (as part of our preparations to migrate it to the central DHCP server on sw211), the hosts in VLAN 2001 were still getting IPv6 addresses with the proper prefix. But how’s that possible? There’s no static IPv6 configuration on the end hosts anywhere.

Travis
FABD2 Network Manager

QUESTION 21

Refer to the new resource(s) available. Given the description of the issue, what are the two reasons for the absence of RAs breaking the IPv6 connectivity? (Choose two.)

a) The end hosts considered IPv6 to be disabled in their network.
b) The end hosts could not locate their default gateway.
c) The sw101 and sw102 switches stopped routing IPv6 traffic on the SVI for VLAN 2001.
d) The sw101 and sw102 switches stopped advertising the global prefix on the SVI for VLAN 2001 in EIGRP.
e) The end hosts could not locate their DHCPv6 server.
f) The end hosts did not have the necessary information for an autoconfiguration mechanism.

Solution
Answer:

Resources

RE: IPv6 implementation on HQ

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: IPv6 implementation on HQ

Hello,

Thanks for the response!
We have fixed the configuration and DHCPv6 started working. We have started extending IPv6 further in the HQ; aside from sw101 and sw102 VLAN 2001, we also extended it southward to r11 and r12 – we just enabled IPv6 with link-local addresses on those connections and started running EIGRP for IPv6 across all those devices, and we could see r11 and r12 learning the global prefix from sw101 and sw102 nicely.

Then, following some best practices we read about, we decided to tighten down our IPv6 environment in VLAN 2001, and so we disabled RAs on the sw101 and sw102 SVIs for VLAN 2001 to prevent leaking address information and having hosts jump on that instead of using DHCPv6. But this broke our IPv6 connectivity in VLAN 2001, so we had to re-enable them. But I wonder – why did this happen?

Travis
FABD2 Network Manager

QUESTION 22

Refer to the new resource(s) available. What would be the proper approach to meet the security requirement as stated by Travis?

a) Implement IPv6 Secure Neighbor Discovery (SeND)
b) Enable RA Guard
c) Suppress the prefix information in RAs
d) Decrease the frequency of sending out RAs

Solution
Answer:

Resources

RE: RE: IPv6 implementation on HQ

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: RE: IPv6 implementation on HQ

Hey,

Okay, so we re-enabled RAs. But how can we have the cake and eat it, too?
We definitely want to avoid some wrongly implemented hosts continuing to ignore DHCPv6 and inserting their own addresses, even if they fall into the proper global prefix scope, and overall, we don’t want some eavesdropper to glean sensitive information from the RAs. Ideas?

Travis
FABD2 Network Manager

QUESTION 23

Refer to the new resource(s) available.

23.1 This item consists of multiple questions; you may need to scroll down to be able to see all questions.

For each gateway redundancy mechanism, select which characteristics are applicable on IOS-based platforms, if any (select all that apply).

Characteristic                                                          HSRP   VRRP   IPv6 RA
Active role in one instance can control roles in other instances
Non-proprietary mechanism
Active role can be coupled with mechanisms such as DHCP Relay or IPsec
Supports active-active load balancing out of the box
Transparent to end hosts
Can be coupled with BFD

Solution

23.2 Given Travis’ preference, what would be the first hop redundancy mechanism of choice?
a) HSRP or VRRP
b) VRRP or IPv6 RAs
c) HSRP only
d) VRRP only
e) IPv6 RAs only
f) HSRP or IPv6 RAs

Solution
Answer:

Resources

RE: RE: RE: IPv6 implementation on HQ

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: RE: RE: IPv6 implementation on HQ

Hi,

As part of implementing IPv6 in HQ, we have been thinking about IPv6 gateway redundancy, too. We’ve been looking at HSRP, VRRP and IPv6 RAs. They all seem to essentially provide the same level of redundancy; in fact, the differences between them are kind of blurry to me. Can I tap into your expertise once again to better understand this?

In the end, we would like to pick and tune the protocol to allow end hosts to switch over to another gateway within 1 second at most, that does not inundate the end hosts with excess traffic to process, and whose inner workings are simple. One thing – I definitely prefer open protocols. I will only go with proprietary mechanisms if I have no other choice.

Cheers

Travis
FABD2 Network Manager

QUESTION 24

Refer to the new resource(s) available. When building the overall SD-WAN policy to meet the Payment Card Industry requirements for the Point Of Sale (POS) terminals at Branch #1 and Branch #2, what three steps must be accomplished in vManage? (Choose three.)
a) Create an ACL at Branch #1 and Branch #2 blocking their direct mutual communication
b) Create POS VPN and VPN interface feature templates and apply them to the Branch #1 and Branch #2 device templates
c) Apply the policy outbound to the Site IDs of Branch #1 and Branch #2
d) Apply the policy outbound to the Site ID of the DC
e) Create a policy to set the TLOCs for the Branch #1 and Branch #2 POS OMP routes to the DC TLOC(s)
f) Block Branch #1 and Branch #2 from learning each other’s TLOC routes

Solution
Answer:

Resources

SD-WAN PoC

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: SD-WAN PoC

Hi,

While we have been keeping you busy with other things, we have already started yet another project in the background: a Proof of Concept implementation of SD-WAN and SDA on two new sites, Branch #1 and Branch #2. These branches are connected through a different service provider, Global SP #2, which in turn connects them to the router r22 in the DC. Also, both branches connect to our ISP.

Since the SD-WAN deployment has already been done on both Branch #1 and Branch #2, we have created two VPNs, Employee and Guest, and these are working in full mesh mode just fine. Now, however, we need to extend both the branches and the DC with another VPN for Point Of Sale (POS) terminals.
Since these terminals process credit cards, it is imperative that the Payment Card Industry (PCI) requirements are met. In short, these are the requirements:

- On each branch, Point Of Sale (POS) terminals must be on a different network segment, isolated from any other networks on the branch.
- Under no circumstances may POS terminals on Branch #1 communicate directly with POS terminals on Branch #2 and vice versa. Any such communication must instead be routed through the data center where we have the necessary firewalls in place.

This is a departure from the full mesh SD-WAN we have right now, and I am not entirely certain how to implement it. I’d appreciate your guidance here.

Travis
FABD2 Network Manager

QUESTION 25

Refer to the new resource(s) available. Based on the given constraints and existing design, which two steps can be performed to provide WAN transport redundancy at Branch #2? (Choose two.)
a) On the link between vedge51 and vedge52, create 802.1Q subinterfaces as necessary and use them as TLOC extensions for each vEdge’s transport
b) Add a second physical link between vedge51 and vedge52 and use the links as TLOC extensions for each vEdge’s transport
c) Configure a backup default route on each vEdge pointing to the address of the neighboring vEdge’s TLOC extension interface
d) Configure an outbound localized policy on each vEdge to add the TLOC of the neighboring vEdge to the advertised OMP routes
e) Run OMP between vedge51 and vedge52

Solution
Answer:

Resources

RE: SD-WAN PoC

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: SD-WAN PoC

Hello,

I’ve got some doubts about Branch #2 and its WAN redundancy. When we originally designed Branch #2, we wanted to purchase two MPLS circuits and two internet circuits to ensure transport independence. But now the management started having second thoughts – they said they won’t sanction additional expenses. That means that we are stuck with what we have right now – we cannot procure additional equipment, install additional physical connections or circuits, or use additional providers. The management also said that since both Branch #1 and Branch #2 have a direct connection to the ISP, we should avoid backhauling the internet-bound traffic from these branches through the data center.
I was wondering if, given our current design, we could still somehow leverage our redundant connections at Branch #2.

Travis
FABD2 Network Manager

QUESTION 26

Based on the given constraints and existing design, which two steps can be performed to ensure that internet-bound traffic from Branch #2 is not sent via the data center? (Choose two.)

a) On vedge52, configure NAT to VPN 0 on the interface connected to the vedge51 TLOC extension interface for the internet transport.
b) On vedge51, configure NAT to VPN 512 on the interfaces toward the ISP.
c) On vedge51, configure NAT to VPN 0 on the interface toward the ISP.
d) On vedge52, configure NAT to VPN 0 on the interface toward SP #2.
e) On vedge51, configure NAT to VPN 0 on the TLOC extension interface for the internet transport.

Solution
Answer:

QUESTION 27

Refer to the new resource(s) available. Which two steps are required to implement the desired Guest VPN design? (Choose two.)

a) Implement a localized data policy that blocks Guest VPN traffic between SD-WAN branches.
b) Configure a centralized VPN membership policy that only allows the Guest VPN prefix to be advertised in OMP.
c) Configure a centralized VPN membership policy that restricts the Guest VPN prefix from being advertised in OMP.
d) Configure a centralized data policy that performs NAT of Guest VPN traffic to VPN 0.
e) Configure a localized control policy that rewrites the TLOC of Guest VPN routes in OMP to 0.0.0.0.
Solution
Answer:

Resources

Guest VPN addressing on branches

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: Guest VPN addressing on branches

Hello,

Thank you very much for the help with the SD-WAN technology so far. Really amazing work! One more request… We have decided to streamline our Guest VPN deployment on every current and future SD-WAN enabled branch. Instead of allocating a unique IP prefix for the Guest VPN on a per-branch basis, and given the fact that we don’t provide any services aside from internet access in the Guest VPN, we have decided to use 10.100.100.0/24 as the Guest VPN prefix at every SD-WAN enabled branch. You already helped us to make sure that internet-bound traffic will break out locally, and this remains valid for the Guest VPN even after this change. In addition, we also want to ensure that there is no connectivity between Guest VPNs across branches. Can you suggest the steps we need to take?

Thanks!

Travis
FABD2 Network Manager

QUESTION 28

Refer to the new resource(s) available. Given the intended scope of the SDA fabric deployment on Branch #2, which option represents the smallest applicable IP pool in DNA Center to support LAN Automation on Branch #2?
a) one /24 subnet
b) one /26 subnet
c) one /27 subnet
d) two /26 subnets
e) one /25 subnet

Solution
Answer:

Resources

SDA addressing

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: SDA addressing

Greetings,

Now that we have the SD-WAN topology and associated policies successfully in place, I am looking at utilizing an SDA fabric in Branch #2. We’re discussing something that is not deployed on the branch yet, and we’re not sure if we are even going to implement this, but we wanted to throw some ideas around and discuss them with you.

From what we know, DNA Center can provision the underlay itself – it’s called LAN Automation. However, there seem to be certain requirements regarding the address pools put into DNA Center so that LAN Automation works. The SDA fabric at Branch #2 may consist of up to three edge and two border switches, with each edge switch having a connection to both border switches. Once again, SDA is not implemented on Branch #2 yet, but it is planned. Here’s a diagram of the planned deployment.

QUESTION 29

Refer to the new resource(s) available. Which option represents the smallest applicable IP pool in DNA Center to support the planned Layer 3 VN handoffs on Branch #2?
a) one /25 subnet
b) one /26 subnet
c) one /24 subnet
d) two /26 subnets

Solution
Answer:

Resources

Planned SDA Deployment on Branch #2

RE: SDA addressing

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: SDA addressing

Hello,

I totally forgot to ask you. We will be deploying three VNs on Branch #2: Employee, POS and Guest. We would like DNA Center to automate the L3 handoff from the border nodes to the vEdge routers as well, along with DEFAULT_VN and INFRA. What should be the smallest IP pool in DNA Center we need to allocate for these handoffs?

Thanks!

Travis
FABD2 Network Manager

QUESTION 30

Refer to the new resource(s) available. Which two design options are applicable to provide transit between the planned SDA fabrics in Branch #1 and #2, considering the future plans?
(Choose two.)

a) Deploy IP Transit between Branch #1 and Branch #2
b) Deploy a Transit Control Plane node in the Data Center to facilitate the transit between Branch #1 and Branch #2
c) Deploy SDA Transit between Branch #1 and Branch #2
d) Use BGP as a handover protocol between SDA border nodes and SD-WAN vEdge routers
e) Combine Branch #1 and Branch #2 into a single multi-location SDA fabric site

Solution
Answer:

Resources

Transit between SDA branches

From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: Transit between SDA branches

Hello,

The management came back with a question. Assuming we had Branch #2 already running on SDA, and we also implemented SDA on Branch #1 with the same VNs, what would be the way of interconnecting these branches when a single fabric doesn’t? The SD-WAN as a transport technology stays, of course, but the SDA documentation talks about two types of interconnections: IP Transit and SDA Transit. The SDA Transit seems to be far superior – it allows carrying SGTs end-to-end and is able to extend VXLANs if necessary. But I am not sure if that is possible with SD-WAN sitting between the branches; on top of it, we are looking at leveraging Application Aware Routing in SD-WAN in the future for the transiting VNs/VPNs. So I’m unsure what options we have here. Can I pick your brain once again?

Travis
FABD2 Network Manager

QUESTION 31

Refer to the new resource(s) available. Drag the options on the left and drop them in any order into the two corresponding categories on the right, indicating the best practice for where these options should be added in DNA Center.
Not all options are used.

Options: UDLD; Anycast GWs; VTY ACLs; Spanning Tree (MST); SNMPv3; TACACS+ servers; Port Security; Application Policy

Categories:
DNA Center GUI Workflow: Option 1, Option 2, Option 3, Option 4
DNA Center Template: Option 1, Option 2, Option 3

Solution
DNA Center GUI Workflow:
DNA Center Template:

Resources
DNAC is… confusing
From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: DNAC is… confusing

Hi,
The DNA Center appliance in our data center is now up and running. I’m trying to start out by building a few policies, but I am a bit confused, since this is all new territory for me. (And probably for the rest of us too.) I have analyzed the configuration of the existing infrastructure and picked a few areas that I want to build out in DNA Center, but I need some help getting started. The areas I am working on are:
1. TACACS+ servers
2. UDLD
3. Spanning Tree (MST)
4. Port Security
5. SNMPv3
6. VTY ACLs
7. Anycast GW
8. Application Policy
Can you help me out?
Travis
FABD2 Network Manager

QUESTION 32
What are two possible ways of ensuring that authorized local administrators in the Employee VN on Branch #1 or Branch #2 can still access the local SDA border nodes using their loopback addresses through in-band SSH access? (Choose two.)
a) Utilize an external firewall for controlled inter-VN communication.
b) Utilize a vEdge router as a fusion router.
c) Deploy console terminal servers.
d) Implement IS-IS redistribution between VNs.
e) Set up fabric SGACLs permitting this communication.
Solution Answer:

QUESTION 33
Refer to the new resource(s) available.
What are the two valid design options for deploying QoS on the SDA branches that will meet the FABD2 requirement? (Choose two.)
a) Extend the existing queuing model into a new 4/5 class model.
b) Use the DNA Center templates to rebuild the QoS policy.
c) Leverage SGT-based QoS.
d) Use DNA Center to define business-irrelevant application sets.
e) Use the DNA Center application policy to rebuild the QoS policy.
Solution Answer:

Resources
QoS policies for SDA
From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: QoS policies for SDA

Hi,
Since forever, we have been using switch-based QoS policies, as we haven’t had a tool to deal with QoS provisioning at all. In our legacy deployment, our ingress QoS policy is to trust DSCP markings, and on egress, we are currently using the 1 priority queue, 3 round robin queues, 8 weighted drop thresholds queuing setup. The approach has always been causing some headaches. Some of the most commonly heard issues or complaints I have received are:
- Not able to accommodate new video applications or meet future growth.
- Can only match applications based on L3 and L4 information, not based on true application flows.
- Not able to mark down traffic irrelevant to our business.
- Hard to maintain a consistent QoS policy across different platforms.
Now that we are looking into implementing QoS in our Branch #1 and Branch #2, we would like to make it right, adopting the Cisco LAN QoS best practices and avoiding the issues I have listed above. I am reaching out to you with a request to provide some input as to how we should approach this in an SDA context. As always, thanks!
Travis
FABD2 Network Manager

QUESTION 34
Refer to the new resource(s) available.
Given the requirement, what would be the best way to implement the logging on r21?
a) SNMP polling and processing the results offline
b) Local scripting on the router using a procedural language
c) NETCONF polling and storing the results on the routers
d) Use a Python script to access the router CLI remotely through SSH and drive the output collection
Solution Answer:

Resources
Saving command outputs
From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: Saving command outputs

Hello,
We have recently been having issues with SP #1 on r21 in the DC – I’m really glad that we’ll be moving off to SP #2, but till then, I have to put up a fight with them to have the stuff fixed, and I need some evidence to beat them over their heads with. What’s happening is this: from time to time, the BGP session between r21 and the SP #1 PE router flaps.
When it comes up again, it takes several minutes before we learn any prefixes from the PEs. SP #1 is telling us that they are not aware of any issues with their PEs, but I am suspecting that they are somehow late in scheduling the updates to be sent to us. What I would like to do is a logging setup that would record these outputs:
- Snapshot of the BGP neighbor statistics (show ip bgp summary)
- Complete BGP table (show ip bgp)
- Every received route from the respective PE, pulled out through show ip bgp neighbors X.X.X.X routes, and its detailed view (show ip bgp N.N.N.N/M)
I want the logging to be done automatically and independently by r21, both periodically every minute and, on top of it, in the moment of the BGP session coming up. I intend to allow SP #1 read-only access to r21. I would appreciate any thoughts on how to implement this.
Travis
FABD2 Network Manager

QUESTION 35
Refer to the new resource(s) available.
Which are the characteristics of the different scripting methods? (For every scripting method, select all characteristics that apply.)

Scripting methods: EEM Python Policy; EEM Applet calling a standard Python script; Standard Python script without EEM

Characteristics:
- Requires guest shell
- Allows sharing the same Python script for periodic and triggered collection
- Allows scheduling a periodic collection run
- Allows triggering the collection run on a BGP session event
- Allows running the Python script manually outside EEM

Solution
Scripting methods: EEM Python Policy; EEM Applet calling a standard Python script; Standard Python script without EEM
Characteristics: Requires guest shell; Allows sharing the same Python script for periodic and triggered collection; Allows scheduling a periodic collection run; Allows triggering the collection run on a BGP session event; Allows running the Python script manually outside EEM

Resources
RE: Saving command outputs
From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: Saving command outputs

Hi,
Thanks for the ideas. Taking them into account, and reviewing the available IOS-XE docs, I’ve decided to proceed with local Python scripting on r21. I have to say though that the docs are not entirely clear to me. I initially thought that I need to write a Python script that does everything itself – run in an infinite loop, waiting for either the 1-minute timer to expire or for the BGP session event to fire, do the collection as intended, and keep this repeated. But the documentation seems to suggest that I need to use EEM and, from there, call the Python script. They even talk about an EEM Python Policy using ‘import eem’, which I don’t understand how it differs from a normal Python script.
Can you help me understand what the differences here are? As always – appreciated.
Travis
FABD2 Network Manager

QUESTION 36
Refer to the new resource(s) available.
Given the circumstances, what is the best option for Anna to develop and debug her scripts before deploying them on the FABD2 production network?
a) Use the production network while executing REST API calls bundled in a transaction and rolled back at the end without a commit
b) Perform the development and debugging on the production network during dedicated maintenance windows
c) Create a lab repro for development purposes
d) Use DevNet SD-WAN sandbox labs
Solution Answer:

Resources
SD-WAN Automation Development

Avona: Travis, I would like to test out a couple of automation scripts for our SD-WAN deployment that I’ve been developing myself – I was looking into gathering data such as inventory of devices, some real-time monitoring and remote device reboots. I am so excited to get this testing done! Would love to start right away. Just wanted to let you know.
Travis: Wait. You want to test the scripts you’re developing yourself on our networks?
Avona: Yep. Don’t worry. Those APIs are nondisruptive.
Travis: Avona, I don’t think it’s a good idea. This is a production network, you know. I trust you, but I don’t want experiments on it at any point in time. The APIs may be ‘non-disruptive’ in themselves, but a minor mistake in the script could render even a harmless API call disruptive. Just call it in a tight infinite loop, and we have a DoS on our hands. So, sorry. But no. No development and testing on our production network, only something that has been tested and debugged elsewhere.
Avona: Well… Oh. But what are my options, then? Nobody writes flawless code without the need to debug it every now and then. Should I do a lab repro of our SD-WAN, then? But that’ll take lots of time to set everything up, and we’d need to buy extra licenses for it.
Travis: Hmmm. A lab repro is an option, but it requires considerable investments, which is outright impossible to justify in this case. But let’s ask our CCIE-to-be what options we have for doing this kind of testing without putting our production network in jeopardy.

QUESTION 37
Refer to the new resource(s) available.
This item consists of multiple questions; you may need to scroll down to be able to see all questions.

37.1 What authentication mechanism is used for API calls to vManage?
a) basic HTTP authentication with every API call
b) authentication token in HTTP headers obtained after a call to /auth/token with credentials passed as HTTP basic authentication
c) client X.509 PKI certificate presented with every API call
d) session cookies obtained after a call to /j_security_check with credentials passed in the request body
Solution Answer:

37.2 What is the nature of the value for the deviceId key for a vEdge?
a) hostname
b) license number
c) device chassis number
d) certificate serial number
Solution Answer:

37.3 What is the purpose of enclosing the deviceIP / deviceId object in square brackets in the JSON call template?
a) The request can hold multiple deviceIP / deviceId objects as a list
b) The square brackets aid readability but are not mandatory
c) The square brackets introduce an optional part of the request
d) The deviceIP / deviceId object is a nested object inside another one, with nesting requiring the use of square brackets
Solution Answer:

Resources
Questions regarding SD-WAN API calls
From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: Questions regarding SD-WAN API calls

Hi,
So, I’ve started playing with the SD-WAN APIs, but I realized that I was too optimistic about my understanding of how they work. Can I pick your brain on this? For my experiments, I have picked the vEdge reboot API call. The URL should be https://vmanage/dataservice/device/action/reboot and the JSON request template from the docs looks like this:

    {
      "action": "reboot",
      "deviceType": "vedge",
      "devices": [
        {
          "deviceIP": "172.16.255.11",
          "deviceId": "face13fa.d dn1-4000-9344-s1000p04o14dd"
        }
      ]
    }

I have a couple of doubts here:
- How do we authenticate to vManage? I don’t suppose the API is unprotected for anyone to just send API calls as they please, but the docs for the reboot API did not mention any authentication at all.
- This deviceId in the template – I don’t know what value to put there.
- Why is the ‘deviceIP’ pair enclosed in the square [] brackets? They seem to simply double the curly {} brackets, which I see no point for.
Thanks.
Avona
FABD2 RP/WAN team

QUESTION 38
Refer to the new resource(s) available.
Which two of the following changes to the script would shorten its running time without impairing its functionality? (Choose two.)
a) Construct the JSON body of the request manually instead of using the json.dumps() method.
b) Execute loginAPI() only once and reuse the session for multiple API calls.
c) Use the put() method instead of post() to pass the reboot API call.
d) Combine the device IP/ID pairs into a list and pass them all in a single API call.
e) Refer to the vManage by its DNS FQDN instead of its IP address.
Solution Answer:

Resources
RE: Questions regarding SD-WAN API calls
From: ‘Travis Handerson’<.com>
To: ‘CCIE candidate’<.com>
Subject: RE: Questions regarding SD-WAN API calls

Hi,
Thanks a lot! It worked! I have one more question, if you don’t mind. I’ve been looking at the performance of my script, and to send the API calls to reload 2 vEdges, it takes the script around 2 seconds to complete. I played around with the script, adding more vEdge IPs and IDs to find out how the number of vEdges plays a role in the script execution time, and it seems that sending a reload request for any single vEdge takes about 1 second, the time growing linearly with the number of vEdges to reload. That feels way too long, to be honest. Something’s wrong here that’s delaying the run of my script, but I cannot find out what. Can you have a look at it? Oh, I’ve omitted the body of the loginAPI() function to keep the output below short.

    import requests
    import sys
    import json
    from requests.packages.urllib3.exceptions import InsecureRequestWarning
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

    def loginAPI(host, username, password):
        # body omitted in the e-mail; authenticates to vManage and returns a requests.Session
        return session

    def reloadAPI(host, username, password, ip, id):
        # logs in and opens a new session on every call
        session = loginAPI(host, username, password)
        request = {'action': 'reboot', 'deviceType': 'vedge', 'devices': []}
        request['devices'].append({'deviceIP': ip, 'deviceId': id})   # one device per request
        url = 'https://' + host + '/dataservice/device/action/reboot'
        headers = {'Content-Type': 'application/json'}
        # verify=False turns off TLS certificate verification towards vManage
        return session.post(url, data=json.dumps(request), headers=headers, verify=False)

    devices = {}
    devices.update({'1.1.2.3': 'o7c150fb-1tbe-2tb4-2be1-2sbdcb9?afc3'})
    devices.update({'1.1.2.3': '2e24c1de-7tbe-2235-abc9-93492abccdb'})
    for ip in devices:
        response = reloadAPI('10.2.263.11', 'admin', 'admin', ip, devices[ip])
        print(response.content)

Thanks!
Avona
FABD2 RP/WAN team

QUESTION 39
You have reached the end of exam module 1. Click “End Exam Section” in the main screen in order to proceed to module 2.

CLC CCIE Enterprise Infrastructure Lab v1.0
*****************The End*****************
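For the r21 collection discussed in Questions 34 and 35, the following is an added example (not from the workbook or from Cisco) of the approach Travis settled on: a standard Python script in the IOS-XE Guest Shell that two EEM applets call, one on a 60-second watchdog timer and one on the BGP-5-ADJCHANGE Up syslog message, so one script serves both the periodic and the triggered run and can also be started by hand from the shell. Everything not on the page is an assumption: the file paths, the PE address 192.0.2.1, the applet names, the constructed sample output, and that Guest Shell's cli module is available on r21. The script only issues show commands, but the applets run it at privilege 15, so the read-only account Travis wants to give SP #1 should be scoped to reading the snapshot files, not to EEM or the script.

```python
"""Added example: one collection script for r21, invoked by two EEM applets.

Assumed layout (not stated on the page): script at /bootflash/bgp_snap.py,
snapshots under /bootflash/bgp_snaps, IOS-XE Guest Shell with python3.
Both applets pass the trigger name and the PE address as arguments:

  event manager applet BGP_SNAP_PERIODIC
   event timer watchdog time 60
   action 1.0 cli command "enable"
   action 2.0 cli command "guestshell run python3 /bootflash/bgp_snap.py periodic 192.0.2.1"
  event manager applet BGP_SNAP_UP
   event syslog pattern "%BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up"
   action 1.0 cli command "enable"
   action 2.0 cli command "guestshell run python3 /bootflash/bgp_snap.py bgp-up 192.0.2.1"
"""
import os
import re
import sys
import time

try:
    from cli import cli as ios_cli      # Guest Shell's CLI bridge: cli("show ...") -> str
except ImportError:
    ios_cli = None                      # running off-box (lab PC, unit test)

SNAP_DIR = "/bootflash/bgp_snaps"       # assumption: writable from Guest Shell on r21
# BGP table line: optional status codes (*, >, s, d, h, r, i, S, x, m, b, a, c, f, L), then the prefix
PREFIX_RE = re.compile(r"^\s*[*>sdhriSxmbacfL]*\s*((?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?)")

# Constructed sample of 'show ip bgp neighbors 192.0.2.1 routes' for off-box runs and tests
SAMPLE_ROUTES = """\
BGP table version is 12, local router ID is 10.0.0.21
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
              x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete

     Network          Next Hop            Metric LocPrf Weight Path
 *>  10.10.0.0/16     192.0.2.1                              0 65001 i
 *>  198.51.100.0/24  192.0.2.1                              0 65001 65010 i
 r>  203.0.113.0/24   192.0.2.1                              0 65001 ?

Total number of prefixes 3
"""


def extract_prefixes(routes_output):
    """Return the Network column of a 'show ip bgp neighbors X routes' output, in order, deduplicated."""
    seen = []
    for line in routes_output.splitlines():
        match = PREFIX_RE.match(line)
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def collect(neighbor, run_show):
    """The outputs Travis listed; run_show is cli.cli on the router or any callable off-box."""
    commands = ["show ip bgp summary", "show ip bgp", "show ip bgp neighbors %s routes" % neighbor]
    snapshot = [(cmd, run_show(cmd)) for cmd in commands]
    for prefix in extract_prefixes(snapshot[2][1]):          # detailed view of every received route
        cmd = "show ip bgp %s" % prefix
        snapshot.append((cmd, run_show(cmd)))
    return snapshot


def render(snapshot, trigger, when):
    """Flat text: one banner per command, readable on the router with 'more'."""
    parts = ["# r21 BGP snapshot  trigger=%s  time=%s\n" % (trigger, when)]
    for cmd, output in snapshot:
        parts.append("\n===== %s =====\n%s\n" % (cmd, output.rstrip()))
    return "".join(parts)


def main(argv):
    trigger = argv[1] if len(argv) > 1 else "manual"     # 'periodic' or 'bgp-up', set by the applet
    neighbor = argv[2] if len(argv) > 2 else "192.0.2.1"
    now = time.gmtime()
    text = render(collect(neighbor, ios_cli), trigger, time.strftime("%Y-%m-%dT%H:%M:%SZ", now))
    os.makedirs(SNAP_DIR, exist_ok=True)
    path = os.path.join(SNAP_DIR, "bgp_%s_%s.txt" % (time.strftime("%Y%m%d_%H%M%S", now), trigger))
    with open(path, "w") as fh:
        fh.write(text)
    return path


if __name__ == "__main__":
    if ios_cli is None:
        # off-box dry run on the constructed sample; only the routes command has sample output
        fake = lambda cmd: SAMPLE_ROUTES if cmd.endswith("routes") else "(%s: no off-box sample)" % cmd
        print(render(collect("192.0.2.1", fake), "dry-run", "n/a"))
    else:
        print(main(sys.argv))
```

On the router the two applets in the docstring do all the scheduling; off-box the same file runs against the constructed sample, so the prefix extraction and file layout can be checked before anything is copied to r21.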
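For Avona's questions in 37 and 38, an added example (not from the workbook or from Cisco) of the vManage REST flow, built on the Python standard library only: a POST of the credentials to /j_security_check establishes the cookie-authenticated session, a GET of /dataservice/client/token fetches the XSRF token that vManage 19.2 and later require on state-changing calls, and one POST to /dataservice/device/action/reboot carries every device in the devices list. The client logs in once per run, verifies the vManage certificate against a CA bundle instead of passing verify=False, and treats the HTTP 200 login page that vManage returns for wrong credentials as a failure rather than as success. The host name, user, CA path, device IDs and the fake_vmanage stand-in are assumptions made for the example.

```python
"""Added example: a minimal vManage client that logs in once, fetches the XSRF token
once, and reboots all vEdges with a single API call.

Assumptions not stated on the page: host vmanage.example.net, API user api-user,
CA bundle for the vManage certificate at /etc/ssl/vmanage-ca.pem.
"""
import json
import ssl
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import urlencode

LOGIN_PATH = "/j_security_check"              # form login; success = empty body + JSESSIONID cookie
TOKEN_PATH = "/dataservice/client/token"      # XSRF token that POST/PUT/DELETE calls must carry
REBOOT_PATH = "/dataservice/device/action/reboot"


def build_reboot_body(devices):
    """One body for all devices: 'devices' is a JSON list, which is what the [] in the template means."""
    return {"action": "reboot", "deviceType": "vedge",
            "devices": [{"deviceIP": ip, "deviceId": dev_id} for ip, dev_id in devices.items()]}


def login_failed(status, body):
    """vManage answers bad credentials with HTTP 200 and the HTML login page, not with 401."""
    return status != 200 or b"<html" in body.lower()


def https_sender(cafile):
    """Real transport: one cookie jar for the whole run, TLS verified against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()),
                                         urllib.request.HTTPSHandler(context=ctx))

    def send(req):
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
    return send


class VManageClient:
    def __init__(self, host, send=None, cafile=None):
        self.base = "https://" + host
        self.token = None
        self.round_trips = 0                       # HTTP requests issued so far
        self._send = send or https_sender(cafile)

    def _call(self, path, data=None, headers=None, method=None):
        req = urllib.request.Request(self.base + path, data=data, headers=headers or {}, method=method)
        self.round_trips += 1
        return self._send(req)

    def login(self, username, password):
        form = urlencode({"j_username": username, "j_password": password}).encode()
        status, body = self._call(LOGIN_PATH, form, {"Content-Type": "application/x-www-form-urlencoded"}, "POST")
        if login_failed(status, body):
            raise PermissionError("vManage rejected the credentials")
        status, body = self._call(TOKEN_PATH)      # cookie from the login is sent automatically
        if status != 200:
            raise RuntimeError("token fetch failed with HTTP %d" % status)
        self.token = body.decode().strip()
        return self.token

    def reboot(self, devices):
        if self.token is None:
            raise RuntimeError("call login() once first; cookie and token are then reused")
        headers = {"Content-Type": "application/json", "X-XSRF-TOKEN": self.token}
        status, body = self._call(REBOOT_PATH, json.dumps(build_reboot_body(devices)).encode(), headers, "POST")
        return status, json.loads(body.decode() or "null")


def fake_vmanage(req):
    """Constructed stand-in for vManage so the flow runs off-line; accepts only the password s3cret."""
    hdrs = {k.lower(): v for k, v in req.header_items()}
    if req.full_url.endswith(LOGIN_PATH):
        return (200, b"") if b"j_password=s3cret" in req.data else (200, b"<html>login page</html>")
    if req.full_url.endswith(TOKEN_PATH):
        return 200, b"0123456789abcdef"
    if hdrs.get("x-xsrf-token") != "0123456789abcdef":
        return 403, b'{"error": "missing or wrong XSRF token"}'
    sent = json.loads(req.data.decode())
    return 200, json.dumps({"id": "reboot-job-1", "deviceCount": len(sent["devices"])}).encode()


if __name__ == "__main__":
    edges = {"10.1.1.11": "11111111-1111-4111-8111-111111111111",    # constructed deviceId values; real
             "10.1.1.12": "22222222-2222-4222-8222-222222222222"}    # ones come from GET /dataservice/device
    client = VManageClient("vmanage.example.net", send=fake_vmanage)   # drop send= to talk to a real vManage
    client.login("api-user", "s3cret")
    print(client.reboot(edges), "round trips:", client.round_trips)      # 3, however many devices
```

Against a real vManage, construct the client with cafile="/etc/ssl/vmanage-ca.pem" and no send argument; the round-trip count stays at three for any number of devices, which is the behaviour the per-device login loop in Avona's script cannot achieve.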